Another Behavior of the TEST RULE Button in Threat Management Gateway 2010

Recently, I worked on a case where we were publishing Exchange Client Access Servers (CAS) through TMG. We saw unexpected behavior when using Kerberos Constrained Delegation (KCD) as the Authentication Delegation method together with a Web Farm in the publishing rule.

The scenario was as follows.

We were publishing the target CAS servers as a Web Farm, with KCD as the delegation method. Because the rule targets a farm rather than a single server, the SPN specified on the Authentication Delegation tab was the wildcard “http/*”.

But when we used the TEST RULE button to test this rule, we got the following error:

Category: KCD error

Error details: There is no suitable Service Principal Name (SPN) entry found for this Forefront TMG computer in Active Directory.

Action: Kerberos Constrained Delegation requires the Forefront TMG computer to be trusted for delegation for any authentication protocol, and the Service Principal Name (SPN) used by Forefront TMG must be added to Active Directory.

However, when we accessed Exchange services such as OWA and ActiveSync from an external client, everything worked fine.

That led us to believe that the TEST RULE button itself was misbehaving in this scenario.

Further Troubleshooting:

We then replaced the wildcard with the SPN of one of the farm members (http/<CAS server name>) on the Authentication Delegation tab. When we ran TEST RULE again, it succeeded. This only helps as a diagnostic step: a service ticket obtained for one member's SPN is not valid for the other farm members, so restore “http/*” before putting the rule back into production.

Further research showed that this behavior is a known issue that is currently under investigation.

CONCLUSION:

If you publish a Web Farm with KCD as the delegation method and the “Test Rule” button reports the error above, test connectivity and authentication from an external client instead. The “Test Rule” button may not be a reliable check for this publishing scenario, so the external client test is the one that counts.
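Before attributing a “Test Rule” failure to the button, it is worth confirming that the AD-side KCD prerequisites named in the error message really are in place, since the same error text would also appear for a genuine misconfiguration. The following PowerShell is an added example written for this post; it is not part of the original article or of TMG. It assumes the RSAT ActiveDirectory module is installed, that the TMG computer account is TMG01, and that the farm members are cas01.contoso.com and cas02.contoso.com (all hypothetical names). It checks that the TMG computer account is trusted for delegation for any authentication protocol (protocol transition), that each member's http/ SPN is registered exactly once, and that each member's service appears in the TMG account's delegation target list.

```powershell
# Added example (not from the original post): verify the AD-side KCD prerequisites
# that the TMG "Test Rule" error message names, so a genuine misconfiguration can
# be ruled out before the failure is attributed to the Test Rule button.
# Assumed names (hypothetical): TMG computer account TMG01, farm members
# cas01.contoso.com and cas02.contoso.com. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TmgComputer = 'TMG01'
$CasServers  = 'cas01.contoso.com', 'cas02.contoso.com'

$tmg = Get-ADComputer -Identity $TmgComputer -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# "Trusted for delegation for any authentication protocol" is protocol transition,
# i.e. the TrustedToAuthForDelegation flag. TrustedForDelegation on its own is
# unconstrained delegation and is not what TMG KCD requires.
if (-not $tmg.TrustedToAuthForDelegation) {
    Write-Warning "$TmgComputer is not trusted for delegation for any authentication protocol (no protocol transition)."
}

# msDS-AllowedToDelegateTo holds the target services selected on the Delegation tab.
$allowed = @($tmg.'msDS-AllowedToDelegateTo')
if ($allowed.Count -eq 0) {
    Write-Warning "$TmgComputer has no msDS-AllowedToDelegateTo entries (no target services selected)."
}

foreach ($cas in $CasServers) {
    $short    = ($cas -split '\.')[0]
    $spnFqdn  = "http/$cas"
    $spnShort = "http/$short"

    # 1. Is the SPN registered, and registered exactly once? A missing SPN means
    #    no service ticket can be issued; a duplicate SPN breaks Kerberos as well.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spnFqdn)" -Properties servicePrincipalName)
    switch ($owners.Count) {
        0       { Write-Warning "$spnFqdn is not registered on any account." }
        1       { Write-Host    "$spnFqdn is registered on $($owners[0].Name)." }
        default { Write-Warning "$spnFqdn is registered on multiple accounts (duplicate SPN): $($owners.Name -join ', ')" }
    }

    # 2. Is this member's service in the TMG account's delegation target list?
    #    -contains is case-insensitive, which matches how SPNs are compared.
    if (($allowed -contains $spnFqdn) -or ($allowed -contains $spnShort)) {
        Write-Host "$TmgComputer may delegate to $spnFqdn."
    } else {
        Write-Warning "$TmgComputer is not allowed to delegate to $spnFqdn (msDS-AllowedToDelegateTo: $($allowed -join ', '))."
    }
}
```

Run this on a domain-joined machine with the AD module, substituting your own TMG and CAS names. If every check passes and “Test Rule” still reports the KCD error while external clients authenticate successfully, you are looking at the behavior described in this post rather than a delegation misconfiguration. The per-SPN lookup can also be done with `setspn -Q http/cas01.contoso.com`, which reports duplicates in the same way.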

I recently recognized this behavior while troubleshooting a colleague's test lab setup. Could it be that if FF-TMG-FW-Svc runs as a domain account (>= SP2) and KCD is configured ONLY for the domain account and not for the TMG computer account (or maybe even the user account, because that's the context the MMC runs in?!), that would be an explanation?